Logue was in a position to display (in a proof of idea), creating monetary sheets with crafted directions in white textual content. A profitable exploit led the consumer to the attacker-controlled login. “Once I requested M365 Copilot to summarize the doc, it now not informed me it was about monetary data and as an alternative, responded with an excuse that the doc contained delicate data and couldn’t be seen with out correct authorization or logging in first,” Logue stated.
The larger risk of oblique immediate injection
The incident underscores that the chance goes past easy “immediate injection,” the place a consumer varieties malicious directions instantly into an AI. Right here, the attacker hides directions inside doc content material that will get handed into the assistant with out the consumer’s consciousness. Logue described how the hidden directions use progressive activity modification (e.g, “first summarise, then ignore that and do X”) layered throughout spreadsheet tabs.
Moreover, the disclosure exposes a brand new assault floor the place the diagram-generation function (Mermaid output) turns into the exfiltration channel. Logue defined that clicking the diagram opened a browser hyperlink that quietly despatched the encoded e-mail knowledge to an attacker-controlled endpoint. The switch occurred via a normal internet request, making it indistinguishable from a reliable click-through in lots of environments.
